DETAILED ACTION
Claim Objections 

Claim 11 is objected to because of the following informalities: There appear to be terms
missing in claim 11. It is unclear what is being compared after the term "the asset" on 
line 3. The examiner is interpreting the claim that it is determined that no further attack 
along the attack path would be successful if there are no further exploits associated with 
the asset, where the existing access is lesser than the prerequisite access associated with 
the exploit. 

Appropriate correction is required. 

Claim Rejections - 35 USC §102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 



Claims 1-21 are rejected under 35 U.S.C. 102(e) as being anticipated by Cohen US
6,952,779.

As per claims 1 and 21, Cohen teaches identifying a threat agent (attacker) having an
existing access level (having access to web server 246) (Col 6 lines 5-7, lines 20-25).
Cohen teaches using the existing access level to analyze an attack path between the threat
agent and an asset (start and end points for attack path) (Col 6 lines 48-54, Col 7 lines 1-7).
Cohen teaches updating the existing access level if the analysis of the attack path
between the threat agent and the asset indicates that an attack along the path would be
successful (implementing fixes to deprive attackers from being able to access the asset)
(disabling DDE, patching servers, disabling rlogin access) (Col 9 lines 35-40, Col 17
lines 10-23).

As per claim 2, Cohen teaches using the existing access level to analyze an attack path 
between the threat agent and an asset comprises identifying a vulnerability associated 
with the asset (identifying vulnerabilities) (Col 2 line 60). 

As per claim 3, Cohen teaches using the existing access level to analyze 
an attack path between the threat agent and an asset comprises identifying an exploit 
method associated with a vulnerability associated with the asset (calculating attacks, 
exploits and targets) (Col 9 lines 8-17).

As per claim 4, Cohen teaches the exploit method has associated with it a
prerequisite access level (precondition, access to web server 246) required to use the
exploit method to exploit the vulnerability successfully (teaches the exploit has access
that will be used to exploit vulnerability, such as using buffer overflow attack to access
web server 246) (Col 14, table, Col 15 lines 54-61).

As per claim 5, Cohen teaches using the existing access level to analyze 
an attack path between the threat agent and an asset comprises comparing the existing 
access level to the prerequisite access level (analyze attack path using existing access 
level to collect preconditions and exploit them) (Col 13 line 18 to Col 14 line 18). 

As per claim 6, Cohen teaches determining whether a control
affects the prerequisite access level (determining whether a server patch or firewall
affects access level) (Col 17 lines 10-15).

As per claim 7, Cohen teaches the exploit has associated with it a resulting access level
(access to administration server 254, or application server 262) that may be attained by
using the exploit to exploit the vulnerability successfully (gaining control of web server
to further gain access to other servers using exploits) (Fig 5, Col 14 table, Col 15 lines
48-61).

As per claim 8, Cohen teaches determining whether a control
affects the prerequisite access level (determining whether a server patch or firewall
affects access level) (Col 17 lines 10-15).

As per claim 9, Cohen teaches updating the existing access level if the
analysis of the attack path between the threat agent and the asset indicates that an attack 
along the path would be successful comprises updating the existing access level to 
include the resulting access level if it is determined that the threat agent has used or could 
use the exploit (if the threat is successful in exploiting a vulnerability the existing access 
level, web server access, is updated to the resulting access level, access to admin and 
application servers). 

As per claim 10, Cohen teaches iteratively (scheduled frequencies) updating the existing 
access level (access to web server) including computing a transitive closure (checking all 
paths) until the analysis of the attack path between the threat agent and the asset indicates 
that no further attack along the attack path would be successful (checking all possible 
attack routes with systems that run on scheduled frequencies specified by user to analyze 
the system, fix/patch and analyze again in an iterative pattern) (Col 10 lines 35-40, 53-60, 
62-67, Col 11 lines 40-50). 

As per claim 11, Cohen teaches determining that no further attack along the attack path
would be successful if there are no further exploits (buffer overflow attack) associated
with the asset for which the existing access (web server access) of the threat agent
(attacker), is updated to reflect any resulting access (access to admin or application server)
that has been or would be attained from the successful completion of previously-analyzed
exploits (buffer overflow exploit), is greater than or equal to the prerequisite access (web
server access) associated with the exploit, (checking all possible attack routes with
systems that run repeatedly to analyze the system, fix/patch and analyze again in an
iterative pattern) (Col 10 lines 35-40, 53-60, 62-67, Col 17 lines 8-22).

As per claim 12, Cohen teaches determining whether the asset is subject to compromise 
by the threat agent (attack simulation and determined consequences) (Col 8 lines 7-15).

As per claim 13, Cohen teaches determining whether a control affects the existing access 
level of the threat agent (preventing buffer overflows by patching web servers) (Col 17 
lines 13-20).

As per claim 14, Cohen teaches updating the existing access level (access to web server 
246) to reflect the effect of the control prior to using the existing access level to analyze
an attack path between the threat agent and an asset (fixing the buffer overflow exploit 
with a patch (control), and retesting to determine attack success between agent and asset) 
(Col 10 lines 35-50, Col 17 lines 13-20). 
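
The iteration described for claims 9 to 11, with controls applied before analysis as in claim 14, can be sketched as a fixed-point computation. This is an added example, not code from the Office action, the application, or Cohen; the access scale, exploit names, control names and server names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

NONE, USER, ADMIN = 0, 1, 2  # constructed, ordered access scale

@dataclass(frozen=True)
class Exploit:
    name: str
    prereq: Tuple[str, int]   # (asset, minimum access needed to use the exploit)
    result: Tuple[str, int]   # (asset, access attained if it succeeds)
    blocked_by: Optional[str] = None  # control that neutralises the exploit

# Constructed model; listed out of chain order so one pass is not enough.
EXPLOITS = [
    Exploit("app_server_pivot", ("web_server", ADMIN), ("app_server", USER)),
    Exploit("admin_rlogin", ("web_server", ADMIN), ("admin_server", USER), "disable_rlogin"),
    Exploit("web_buffer_overflow", ("web_server", USER), ("web_server", ADMIN), "patch_web_server"),
    Exploit("db_escalation", ("db_server", USER), ("db_server", ADMIN)),
]

def close_access(existing, exploits, controls=frozenset()):
    """Raise access until no usable exploit adds anything (a fixed point)."""
    access, used, changed = dict(existing), [], True
    while changed:
        changed = False
        for e in exploits:
            if e.blocked_by in controls:      # control applied before analysis
                continue
            (p_asset, p_level), (r_asset, r_level) = e.prereq, e.result
            usable = access.get(p_asset, NONE) >= p_level   # existing >= prerequisite
            gains = access.get(r_asset, NONE) < r_level     # result adds new access
            if usable and gains:
                access[r_asset] = r_level
                used.append(e.name)
                changed = True
    return access, used

if __name__ == "__main__":
    start = {"web_server": USER}  # constructed starting access
    for controls in (frozenset(), frozenset({"patch_web_server"})):
        access, used = close_access(start, EXPLOITS, controls)
        print(sorted(controls), "->", access, used)
```

The loop terminates because access levels only increase and are bounded; the exploit on the unreached asset is never applied, since the existing access there stays below its prerequisite.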

As per claim 15, Cohen teaches receiving from a network security system or application 
data comprising an identification of the threat agent (identifying possible attacks) (Col 7
lines 5-10). 



Application/Control Number: 10/775,758 . Page 7 

Art Unit: 2134 

As per claim 16, Cohen teaches receiving from a network security system or application 
data that may be used to identify the threat agent (data collected by discovery agents) 
(Col 10 lines 43-46). 

As per claim 17, Cohen teaches providing output data reflecting a result of the analysis of
the attack path (generates a list of attacks) (Col 10 lines 49-53). 

As per claim 18, Cohen teaches a report of the highest level of access that has been or 
could be achieved by the threat agent through one or more attacks along the attack path 
(calculates endpoints including ultimate endpoints, and damage through attack path) (Col 
8 lines 30-55). 

As per claim 19, Cohen teaches using the existing access level further
includes evaluating recorded data to determine the attack path (teaches evaluating data
collected and recorded about vulnerabilities and attack simulations) (Col 10 lines 40-50).

As per claim 20, Cohen teaches the attack path is determined by 
computing a transitive closure (checking possible paths) (Col 7 lines 1-8). 



Conclusion 
Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Christopher J. Brown whose telephone number is
(571)272-3833. The examiner can normally be reached on 8:30-6:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Christopher J. Brown 9/25/07 




